ICO consultation on the draft updated data 
sharing code of practice 


Qi Does the updated code adequately explain and advise on the new aspects of 
data protection legislation which are relevant to data sharing? 


© Yes 
O No 


Q2 If not, please specify where improvements could be made. 


Q3 Does the draft code cover the right issues about data sharing? 


© Yes 
© No 


Q4 If no, what other issues would you like to be covered in it? 


Q5 Does the draft code contain the right level of detail? 
© Yes 
© No 


Q6__siIf no, in what areas should there be more detail within the draft code? 


Q7 Has the draft code sufficiently addressed new areas or developments in data 


protection that are having an impact on your organisation’s data sharing 
practices? 


© Yes 
© No 


Q8 


Q9 


Q10 


Q11 


If no, please specify what areas are not being addressed, or not being 
addressed in enough detail. 


Does the draft code provide enough clarity on good practice in data sharing? 


© Yes 
O No 


If no, please indicate the section(s) of the draft code which could be improved, 
and what can be done to make the section(s) clearer. 


Does the draft code strike the right balance between recognising the benefits of 
sharing data and the need to protect it? 


© Yes 
O No 


Q12 If no, in what way does the draft code fail to strike this balance? 


Q13 Does the draft code cover case studies or data sharing scenarios relevant to 
your organisation? 


© Yes 
© No 


Q14 Please provide any further comments or suggestions you may have about the 
draft code. 


In the Data Pooling section there is a comment that ‘Data pooling is a form of data sharing 
where organisations decide together to pool information they hold and make it available to 
each other, or to different organisations. The organisations responsible for the data sharing 
would be regarded as joint controllers under Article 26 of the GDPR.’ Itis felt that this is a 
little too general as a statement. It would be better to say controllers are likely to be joint, 
but you need to assess each controller as to whether and to what extent they are involved 
in decisions on purposes and means. This is best described by an example - the 
Summary Care Record (SCR) has NHS Digital as the data controller. Contributing practices 
are not, but they are pooling data. Practices are not involved in determining both the 
purposes and means of the SCR, so logically they aren’t joint controllers. It would be useful 
if they could link this to any guidance to help determine joint controllership as it is key to 
many DSAs etc. 


Q15 To what extent do you agree that the draft code is clear and easy to 
understand? 
© Strongly agree 
© Agree 
©) Neither agree nor disagree 
© Disagree 
© Strongly disagree 


Q16 Are you answering as: 
O An individual acting in a private capacity (e.g. someone providing their 
views as a member of the public of the public) 
© An individual acting in a professional capacity 
© On behalf of an organisation 
O Other 


Q17 Please specify 


Q18 Please specify 
National Strategic IG Network please 


Q19 Please specify 


Thank you for taking the time to share your views and experience. 


